From 27351762decdc7fb57262413eca9c262a4e48b67 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Mon, 15 Nov 2021 13:23:51 -0500
Subject: [PATCH] Upload Docker images to AWS ECR Nonprod Repositories (#1713)
---
 .github/workflows/build.yml | 86 +++++++++++++++++++++++------------
 .github/workflows/release.yml | 3 +-
 2 files changed, 58 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a4970654d1..15337f2bdf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -248,7 +248,9 @@ jobs:
 uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
 with:
 keyvault: "bitwarden-prod-kv"
- secrets: "docker-password,
+ secrets: "aws-ecr-access-key-id,
+ aws-ecr-secret-access-key,
+ docker-password,
 docker-username,
 dct-delegate-2-repo-passphrase,
 dct-delegate-2-key"
@@ -278,7 +280,6 @@ jobs:
 DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
 run: |
 mkdir -p ~/.docker/trust/private
-
 echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
 - name: Setup service name
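Review bot: The two new Key Vault entries, `aws-ecr-access-key-id` and `aws-ecr-secret-access-key`, are a long-lived static IAM key pair pulled into every build-docker matrix job, and nothing in the hunk records how narrowly that IAM principal is scoped; whether the Retrieve secrets step is itself branch-gated is outside the hunk. A static access key on a CI runner is reachable by every action and dependency that runs in the job, so the expectation should be written down next to the fetch, e.g. `# aws-ecr-*: static IAM key pair, expected to be limited to pushing the nonprod/ ECR repositories; rotate per policy` above `secrets:`. Longer term, the configure-aws-credentials action this commit adds later in the file can assume a role via `role-to-assume`, which would replace the stored key pair with short-lived credentials; whether the pinned revision supports GitHub OIDC federation for that should be confirmed before relying on it.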
@@ -306,34 +307,12 @@ jobs:
 run: |
 if [ "${{ matrix.service_name }}" = "K8S-Proxy" ]; then
 docker build -f ${{ matrix.base_path }}/Nginx/Dockerfile-k8s \
- -t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx
+ -t ${{ steps.setup.outputs.service_name }} ${{ matrix.base_path }}/Nginx
 else
- docker build -t ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
+ docker build -t ${{ steps.setup.outputs.service_name }} \
 ${{ matrix.base_path }}/${{ matrix.service_name }}
 fi
- - name: Tag rc
- if: github.ref == 'refs/heads/rc'
- run: |
- docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
- ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
-
- - name: Tag hotfix
- if: github.ref == 'refs/heads/hotfix'
- run: |
- docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
- ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
-
- - name: Tag dev
- if: github.ref == 'refs/heads/master'
- run: |
- docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \
- ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
-
- - name: List Docker images
- if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
- run: docker images
-
 - name: Docker Trust setup
 if: |
 matrix.docker_repo == 'bitwarden'
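Review bot: The build now tags the local image with the bare `${{ steps.setup.outputs.service_name }}` and leaves all registry-qualified tagging to the push steps, but nothing in the step says so, and the removed `Tag rc`/`Tag hotfix`/`Tag dev` steps were the only place that intent used to be visible. A one-line comment above the `if [ ... = "K8S-Proxy" ]` branch would carry it, e.g. `# Build under the bare service name only; registry-specific tags (Docker Hub, ECR) are applied by the push steps below`. Dropping `List Docker images` also removes the only record in the job log of what was built before anything is pushed; if that is deliberate the comment can say so, otherwise a `docker images` line at the end of this `run:` block keeps that evidence. The enclosing build step starts before the hunk.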
@@ -342,27 +321,74 @@ jobs:
 DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
 run: |
 echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
- echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
+ echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
- - name: Push rc images
+ - name: Tag and Push RC to Docker Hub
 if: github.ref == 'refs/heads/rc'
 run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
 docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
- - name: Push hotfix images
+ - name: Tag and Push Hotfix to Docker Hub
 if: github.ref == 'refs/heads/hotfix'
 run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
 docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
- - name: Push dev images
+ - name: Tag and Push Dev to Docker Hub
 if: github.ref == 'refs/heads/master'
 run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
 docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
 - name: Log out of Docker
 if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
 run: docker logout
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@0d9a5be0dceea74e09396820e1e522ba4a110d2f # v1
+ with:
+ aws-access-key-id: ${{ steps.retrieve-secrets.outputs.aws-ecr-access-key-id }}
+ aws-secret-access-key: ${{ steps.retrieve-secrets.outputs.aws-ecr-secret-access-key }}
+ aws-region: us-east-1
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 # v1
+
+ - name: Tag and Push RC to AWS ECR nonprod registry
+ if: github.ref == 'refs/heads/rc'
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
+ docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:rc-${IMAGE_TAG:(-8)}
+
+ - name: Tag and Push Hotfix to AWS ECR nonprod registry
+ if: github.ref == 'refs/heads/hotfix'
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
+ docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:hotfix-${IMAGE_TAG:(-8)}
+
+ - name: Tag and Push Dev to AWS ECR nonprod registry
+ if: github.ref == 'refs/heads/master'
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ docker tag ${{ steps.setup.outputs.service_name }} \
+ $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
+ docker push $ECR_REGISTRY/nonprod/${{ steps.setup.outputs.service_name }}:dev-${IMAGE_TAG:(-8)}
+
 upload:
 name: Upload
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63a3a3888b..c56f642c71 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -117,7 +117,8 @@ jobs:
 release-docker:
 name: Build Docker images
 runs-on: ubuntu-20.04
- needs: setup
+ needs:
+ - setup
 env:
 _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
 _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
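Review bot: The new `Configure AWS credentials` and `Login to Amazon ECR` steps carry no `if:`, while every Docker Hub push step and `Log out of Docker` in the same hunk are gated on master/rc/hotfix, so on any other ref the job still materializes AWS credentials and an ECR token it never uses — or fails outright if the Retrieve secrets step (its condition is outside the hunk) was skipped and the two outputs are empty. Add `if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'` to both steps, matching `Log out of Docker`. There is also no ECR counterpart to `Log out of Docker`: a final step running `docker logout` against `${{ steps.login-ecr.outputs.registry }}` under the same condition would clear the registry token from `~/.docker/config.json` on the runner, unless the pinned amazon-ecr-login revision already does this in a post step. Note too that the `DOCKER_CONTENT_TRUST=1` written to `$GITHUB_ENV` at the top of the hunk stays in effect for the ECR pushes in matrix jobs where that setup step runs; confirm that is intended for the nonprod registry.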